ansible-personal/roles/nginx/templates/blank-vhost.conf.j2

{{ ansible_managed | comment }}

# default blank vhost
#
# clients asking for "example.com" should only get a response if we have
# a vhost serving that domain.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    return 444;
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;

    # "snakeoil" certificate (self signed!)
    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;

    ssl_session_timeout {{ nginx_ssl_session_timeout }};
    ssl_session_cache {{ nginx_ssl_session_cache }};
    ssl_buffer_size {{ nginx_ssl_buffer_size }};
    ssl_dhparam {{ nginx_ssl_dhparam }};
    ssl_protocols {{ nginx_ssl_protocols }};
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous
    # sessions. The fix for this is to setup a manual rotation mechanism:
    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
    #
    # Note that you'll have to define and rotate the keys securely by yourself. In absence
    # of such infrastructure, consider turning off session tickets:
    ssl_session_tickets off;

    return 444;
}
Adjust ansible_managed to use comment filter We don't need to comment the ansible_managed block manually. 2019-01-10 11:50:54 +01:00			`{{ ansible_managed \| comment }}`
roles/nginx: Add "ansible managed" string to configs Generates a placeholder text to say that the file is managed by ansible. 2016-06-27 16:50:49 +02:00
roles/nginx: Add blank vhost For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 22:30:06 +02:00			`# default blank vhost`
			`#`
			`# clients asking for "example.com" should only get a response if we have`
			`# a vhost serving that domain.`
			`server {`
roles/nginx: Use default_server instead of default Seems to be the new keyword for quite some time now, despite not causing an error: http://nginx.org/en/docs/http/server_names.html 2016-04-25 20:48:36 +02:00			`listen 80 default_server;`
			`listen [::]:80 default_server;`
Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts Everything is TLS now (whether self-signed or not), so it's pointless to distinguish. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-09 23:14:47 +01:00			`server_name _;`

roles/nginx: Return HTTP 444 for requests to invalid hostnames 444 is a special nginx return code that means the request was closed without a response, see: http://nginx.org/en/docs/http/request_processing.html 2016-04-25 20:45:21 +02:00			`return 444;`
Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts Everything is TLS now (whether self-signed or not), so it's pointless to distinguish. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-09 23:14:47 +01:00			`}`
			`server {`
roles/nginx: Use default_server instead of default Seems to be the new keyword for quite some time now, despite not causing an error: http://nginx.org/en/docs/http/server_names.html 2016-04-25 20:48:36 +02:00			`listen 443 ssl http2 default_server;`
roles/nginx: Add IPv6 listener in default HTTPS vhost 2016-04-25 20:49:41 +02:00			`listen [::]:443 ssl http2 default_server;`
roles/nginx: Add blank vhost For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 22:30:06 +02:00			`server_name _;`

			`# "snakeoil" certificate (self signed!)`
			`ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;`
			`ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;`

			`ssl_session_timeout {{ nginx_ssl_session_timeout }};`
			`ssl_session_cache {{ nginx_ssl_session_cache }};`
			`ssl_buffer_size {{ nginx_ssl_buffer_size }};`
			`ssl_dhparam {{ nginx_ssl_dhparam }};`
			`ssl_protocols {{ nginx_ssl_protocols }};`
			`ssl_ciphers "{{ tls_cipher_suite }}";`
			`ssl_prefer_server_ciphers on;`

			`# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and`
			`# when a restart is performed the previous key is lost, which resets all previous`
			`# sessions. The fix for this is to setup a manual rotation mechanism:`
			`# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx`
			`#`
			`# Note that you'll have to define and rotate the keys securely by yourself. In absence`
			`# of such infrastructure, consider turning off session tickets:`
			`ssl_session_tickets off;`

roles/nginx: Return HTTP 444 for requests to invalid hostnames 444 is a special nginx return code that means the request was closed without a response, see: http://nginx.org/en/docs/http/request_processing.html 2016-04-25 20:45:21 +02:00			`return 444;`
roles/nginx: Add blank vhost For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 22:30:06 +02:00			`}`